How To Test For Command Injection

Testing For Command Injection

If you are not already familiar with the concept of Command Injection, we suggest that you review the article entitled “What Is Command Injection ?“.

Detecting Command Injection

Since it is usually not obvious which, if any, inputs might influence command-line execution, detecting Command Injection vulnerabilities is accomplished by “fuzzing” the inputs to the application with malicious Command Injection payloads.  This is a task that is facilitated by the use of automated testing tools.

Operating System (OS) Fingerprinting

Since malicious Command Injection payloads must be compatible with OS command-line syntax in order to be successful, it is useful to know what the target OS is.  Linux and Windows have some similarities in command-line syntax, but they also feature significant differences. Knowing the target OS will allow you to focus your attacks to those payloads with the proper syntax.

Command Injection Malicious Payloads

Since the actual command being influenced by an input is usually opaque to the security tester, it is necessary to try a variety of payloads to increase the odds that something will result in a noticeable behavior that indicates successful injection.  This includes:

  • Filenames
  • URLs
  • Command-line syntax that allows for the injection of arbitrary commands, such as statement termination and comments
  • Command-line syntax that allows for filename wildcards, redirection, substitution, and pipelines

Blind Command Injection

It is not uncommon that a Command Injection vulnerability exists and is exploitable, but successful exploitation does not manifest as observable behavior within the application.  That is, the application may be “command injectable”, but the effects of successful exploitation do not show in any way within the application.

Such scenarios give rise to the need to include indirect or “blind” tests as malicious Command Injection payloads.  This includes:

  • Invocations of programs that cause a measurable delay in application such as sleep and ping.
  • Invocations of programs that have discernible impact outside of the server such as ping, netcat, and curl.

Command Injection vulnerabilities can be among the most difficult security vulnerabilities to identify, but when present and exploitable, often are the most damaging.

For insight into how to avoid or fix Command Injection vulnerabilities, please see the article entitled “How To Prevent Command Injection“.

About Affinity IT Security

We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and  train your developers and testers.  In fact, we train developers and IT staff how to hack applications and networks.

Perhaps it was a network scan or website vulnerability test that brought you here.  If so, you are likely researching how to find, fix, or avoid a particular vulnerability.  We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.

Contact us to learn how to better protect your enterprise.



Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.